Transparent proxy with Squid on OpenBSD 5.4


Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting
Hi,

I’m trying to do a transparent webfiltering bridge with squid.
I’ve used the packages for 5.4 which are squid-3.3.8 and squidGuard-1.4p6

Squid is working fine when the browser uses the vether0 administration
interface of the bridge.
I mean sites are cached and squidGuard is filtering according to my tests
rules.

But it’s not working when using the bridge as a transparent proxy (without
specifying a proxy server).
If someone could give me some advice that would be really helpful.

Here is my /etc/pf.conf

# Macros & Tables
ext_if="bge0"
int_if="bge1"

# Options
set skip on lo
set skip on {pfsync}
set reassemble yes no-df

# Redirect www to our transparent squid proxy
pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
pass out quick from 127.0.0.1 divert-reply

# Allow SSH
pass quick inet proto tcp from any to 192.168.200.253 port ssh

# Allow mail
pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

# Allow Ping/Traceroute/DNS
pass quick inet proto udp from any to any port domain
pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state

I’ve tried almost every tutorial on the net but I had no luck with any of
them using OpenBSD 5.4 and Squid 3.3.8…
So I’m posting to know if anybody has done this kind of configuration
successfully.

Happy New Year
Romain



In /etc/squid/squid.conf I have configured ports like this:

http_port 3128
http_port 127.0.0.1:3129 intercept


Re: Transparent proxy with Squid on OpenBSD 5.4

Cremator
Hello,

First I have only one line in my pf.conf and it is:
 pass in log on $int_if inet proto tcp from any \
 to port { 80, 8080 } divert-to 127.0.0.1 port 3128

Second my squid.conf has only one line and it is:
http_port 127.0.0.1:3128 intercept

In your config files you are redirecting to port 3128
and you are intercepting at port 3129.


On Thu, Jan 2, 2014 at 7:55 PM, Romain FABBRI - Alien Consulting <
[hidden email]> wrote:

> Hi,
>
> I’m trying to do a transparent webfiltering bridge with squid.
> I’ve used the packages for 5.4 which are squid-3.3.8 and squidGuard-1.4p6
>
> Squid is working fine when the browser uses the vether0 administration
> interface of the bridge.
> I mean sites are cached and squidGuard is filtering according to my tests
> rules.
>
> But it’s not working when using the bridge as a transparent proxy (without
> specifying a proxy server).
> If someone could give me some advice that would be really helpful.
>
> Here is my /etc/pf.conf
>
> # Macros & Tables
> ext_if="bge0"
> int_if="bge1"
>
> # Options
> set skip on lo
> set skip on {pfsync}
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
> pass out quick from 127.0.0.1 divert-reply
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
> I’ve tried almost every tutorial on the net but I had no luck with any of
> them using OpenBSD 5.4 and Squid 3.3.8…
> So I’m posting to know if anybody has done this kind of configuration
> successfully.
>
> Happy New Year
> Romain
>
>
>
> In /etc/squid/squid.conf I have configured ports like that :
>
> http_port 3128
> http_port 127.0.0.1:3129 intercept
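Cremator's point, that the port named in the pf `divert-to` rule must be the same port Squid is listening on with `intercept`, can be checked mechanically. The following POSIX shell script is an added example, not code from the thread, from OpenBSD or from the Squid project; it parses a pf.conf and a squid.conf in the format quoted above and reports any `divert-to` port that has no intercepting `http_port`. The sample files it writes into a temporary directory are constructed from the two configurations shown in this thread (the original 3128/3129 mismatch and Cremator's matching pair).

```shell
#!/bin/sh
# Added example (not from the thread): cross-check pf.conf "divert-to" ports
# against Squid http_port lines flagged intercept/tproxy/transparent.
# Both functions take a file path; continuation lines ending in "\" in
# pf.conf are joined before matching.

# Print every divert-to port found in a pf.conf, one per line, sorted, unique.
pf_divert_ports() {
    awk '/\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
         { print buf $0; buf = "" }' "$1" |
        grep -v '^[[:space:]]*#' |
        sed -nE 's/.*divert-to[[:space:]]+[^[:space:]]+[[:space:]]+port[[:space:]]+([0-9]+).*/\1/p' |
        sort -u
}

# Print every http_port number that carries an interception flag.
squid_intercept_ports() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '^[[:space:]]*http_port[[:space:]]' |
        grep -E '[[:space:]](intercept|tproxy|transparent)([[:space:]]|$)' |
        sed -E 's/^[[:space:]]*http_port[[:space:]]+([0-9.]+:)?([0-9]+).*/\2/' |
        sort -u
}

# Report each divert-to port in $1 (pf.conf) that has no intercepting
# http_port in $2 (squid.conf). Exit 0 when every diverted port is covered.
check_divert_ports() {
    intercept=$(squid_intercept_ports "$2")
    rc=0
    for p in $(pf_divert_ports "$1"); do
        if ! printf '%s\n' "$intercept" | grep -qx "$p"; then
            echo "divert-to port $p has no intercept/tproxy http_port in $2"
            rc=1
        fi
    done
    return $rc
}

# Self-contained demo on constructed files taken from the thread: the first
# pair diverts to 3128 but intercepts on 3129 (mismatch), the second pair
# uses 3128 on both sides.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pf-mismatch.conf" <<'EOF'
ext_if="bge0"
# Redirect www to our transparent squid proxy
pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
pass out quick from 127.0.0.1 divert-reply
EOF
    cat > "$dir/squid-mismatch.conf" <<'EOF'
http_port 3128
http_port 127.0.0.1:3129 intercept
EOF
    cat > "$dir/pf-ok.conf" <<'EOF'
pass in log on $int_if inet proto tcp from any \
 to port { 80, 8080 } divert-to 127.0.0.1 port 3128
EOF
    cat > "$dir/squid-ok.conf" <<'EOF'
http_port 127.0.0.1:3128 intercept
EOF
    check_divert_ports "$dir/pf-mismatch.conf" "$dir/squid-mismatch.conf" ||
        echo "(mismatch reported, as expected for the first pair)"
    check_divert_ports "$dir/pf-ok.conf" "$dir/squid-ok.conf" &&
        echo "pf-ok/squid-ok: every diverted port is intercepted"
    rm -rf "$dir"
}

demo
```

On a real box the two helpers can be pointed at `/etc/pf.conf` and `/etc/squid/squid.conf` directly; the check only covers port numbers, so the interface and direction of the divert rule (the other point raised later in this thread) still have to be read by eye.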


Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting
Thanks,

I tried according to your configuration:

First test using the 3128 port as a divert-to port and as a squid http_port
with tproxy or intercept statement
=> No traffic is getting diverted by pf

Second test :
  Same test but using the 3129 port as a divert-to port
  2 lines in squid.conf file:
     http_port 3128
     http_port 127.0.0.1:3129 tproxy     // I also tried with intercept too but no change

In both tests: the web traffic (http 80) doesn't get caught by the
divert-to directive...
I tried to tcpdump on the lo0 interface but I got nothing.

Seems like a pf problem to me...

My browser accessed the internet without any restriction and without being
cached...

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On behalf of
Cremator
Sent: Thursday 2 January 2014 20:29
To: Romain FABBRI - Alien Consulting
Cc: Misc OpenBSD
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

Hello,

First I have only one line in my pf.conf and it is:
 pass in log on $int_if inet proto tcp from any \
 to port { 80, 8080 } divert-to 127.0.0.1 port 3128

Second my squid.conf has only one line and it is:
http_port 127.0.0.1:3128 intercept

In your config files you are redirecting to port 3128 and you are
intercepting at port 3129.


On Thu, Jan 2, 2014 at 7:55 PM, Romain FABBRI - Alien Consulting <
[hidden email]> wrote:

> Hi,
>
> I'm trying to do a transparent webfiltering bridge with squid.
> I've used the packages for 5.4 which are squid-3.3.8 and
> squidGuard-1.4p6
>
> Squid is working fine when the browser uses the vether0 administration
> interface of the bridge.
> I mean sites are cached and squidGuard is filtering according to my
> tests rules.
>
> But it's not working when using the bridge as a transparent proxy
> (without specifying a proxy server).
> If someone could give me some advice that would be really helpful.
>
> Here is my /etc/pf.conf
>
> # Macros & Tables
> ext_if="bge0"
> int_if="bge1"
>
> # Options
> set skip on lo
> set skip on {pfsync}
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
> pass out quick from 127.0.0.1 divert-reply
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
> I've tried almost every tutorial on the net but I had no luck with any
> of them using OpenBSD 5.4 and Squid 3.3.8... So I'm posting to know if
> anybody has done this kind of configuration successfully.
>
> Happy New Year
> Romain
>
>
>
> In /etc/squid/squid.conf I have configured ports like that :
>
> http_port 3128
> http_port 127.0.0.1:3129 intercept

[demime 1.01d removed an attachment of type application/octet-stream which had a name of pf.conf]

[demime 1.01d removed an attachment of type application/octet-stream which had a name of squid.conf]


Re: Transparent proxy with Squid on OpenBSD 5.4

Giancarlo Razzolini-3
On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:

> Thanks,
>
> I tried according to your configuration:
>
> First test using the 3128 port as a divert-to port and as a squid http_port
> with tproxy or intercept statement
> => No traffic is getting diverted by pf
>
> Second test :
>   Same test but using the 3129 port as a divert-to port
>   2 lines in squid.conf file:
>      http_port 3128
>      http_port 127.0.0.1:3129 tproxy     // I also tried with intercept too
> but no change
>
> In both tests: the web traffic (http 80) doesn't get caught by the
> divert-to directive...
> I tried to tcpdump on the lo0 interface but I got nothing.
>
> Seems like a pf problem to me...
>
> My browser accessed the internet without any restriction and without being
> cached...
>
>
Hi,

    My pf.conf only has one line also, which is the one that diverts the
relevant traffic to the squid port. My squid.conf has only one http_port
directive, which is the intercept one. If you run pfctl -sa -vv do you see
any states created by your divert rule? It seems to me that you have
some issue with your pf rules. From what I saw, they do not specify
directions nor interfaces, which might cause you trouble. Also, your
divert rule is on your external interface; that should be done on
packets coming IN on your internal interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC


Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting
I'm now filtering on the inside interface:
    pass in quick log on $int_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128

It seems that pf is diverting the web traffic since the packets are counted:

pfctl -sa -vv
   @0 pass in log quick on bge1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
      [ Evaluations: 3534      Packets: 1741      Bytes: 1788725     States: 17    ]
      [ Inserted: uid 0 pid 8777 State Creations: 17    ]

If I comment out the default squid port and put the intercept statement as my
divert-to port, like this:
  #http_port 3128
  http_port 127.0.0.1:3128 intercept

I get:
- lots of "ERROR: No forward-proxy ports configured." lines when I run squid
- squidGuard is not blocking sites (that does work in non transparent mode)

Maybe I get the error message because newer versions of squid require 2
ports (in order to serve files, like icons...)

I find nothing in my squid.conf that would prevent caching when
intercepting...
That's strange...

-----Original Message-----
From: Giancarlo Razzolini [mailto:[hidden email]]
Sent: Friday 3 January 2014 11:28
To: Romain FABBRI - Alien Consulting; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:

> Thanks,
>
> I tried according to your configuration :
>
> First test using the 3128 port as a divert-to port and as a squid http_port
> with tproxy or intercept statement
> => No traffic is getting diverted by pf
>
> Second test :
>   Same test but using the 3129 port as a divert-to port
>   2 lines in squid.conf file:
>      http_port 3128
>      http_port 127.0.0.1:3129 tproxy     // I also tried with intercept too
> but no change
>
> In both tests: the web traffic (http 80) doesn't get caught by the
> divert-to directive...
> I tried to tcpdump on the lo0 interface but I got nothing.
>
> Seems like a pf problem to me...
>
> My browser accessed the internet without any restriction and without
> being cached...
>
>
Hi,

    My pf.conf only has one line also, which is the one that diverts the
relevant traffic to the squid port. My squid.conf has only one http_port
directive, which is the intercept one. If you run pfctl -sa -vv do you see any
states created by your divert rule? It seems to me that you have some issue
with your pf rules. From what I saw, they do not specify directions nor
interfaces, which might cause you trouble. Also, your divert rule is on your
external interface; that should be done on packets coming IN on your internal
interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
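Giancarlo's suggested check (does `pfctl -sa -vv` show states created by the divert rule?) can be turned into a small filter that pairs each `divert-to` rule with its `State Creations` counter, which is the number Romain reports above. The script below is an added example, not code from the thread or from OpenBSD; it reads pfctl verbose rule output on stdin in the format pasted in this thread. The sample output it embeds is constructed: rule @0 reuses the counters Romain posted, and rule @1 is a hypothetical second divert rule that has never matched.

```shell
#!/bin/sh
# Added example (not from the thread): summarise divert-to rules from
# "pfctl -sa -vv" / "pfctl -sr -vv" output. For every rule line containing
# "divert-to", print "<rule> <divert port> <state creations>"; a count of 0
# means pf has loaded the rule but never matched a connection with it.

# Read pfctl verbose rule output on stdin; one summary line per divert rule.
divert_rule_states() {
    awk '
        /^[[:space:]]*@[0-9]+ / {           # a rule line: "@0 pass in ..."
            rule = substr($1, 2)
            port = ""
            if ($0 ~ /divert-to/) {
                n = split($0, f, /[[:space:]]+/)
                for (i = 1; i < n; i++)
                    if (f[i] == "divert-to" && f[i+2] == "port") port = f[i+3]
            }
        }
        /State Creations:/ && port != "" {  # counter block that follows the rule
            sub(/.*State Creations:[[:space:]]*/, "")
            sub(/[[:space:]].*/, "")
            print rule, port, $0
            port = ""
        }'
}

# Constructed sample in the format pasted in the thread: rule @0 diverts
# port 80 to 3128 and has created 17 states; rule @1 is hypothetical and
# has never matched anything.
sample_pfctl_output() {
    cat <<'EOF'
@0 pass in log quick on bge1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
  [ Evaluations: 3534      Packets: 1741      Bytes: 1788725     States: 17    ]
  [ Inserted: uid 0 pid 8777 State Creations: 17    ]
@1 pass in log quick on bge1 inet proto tcp from any to any port = 8080 flags S/SA divert-to 127.0.0.1 port 3129
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 8777 State Creations: 0     ]
EOF
}

# Print only the divert rules with zero state creations (the "pf never
# diverted anything" case); exit status 1 when there is at least one.
idle_divert_rules() {
    divert_rule_states | awk '$3 == 0 { print; found = 1 } END { exit found ? 1 : 0 }'
}

# On a live system: pfctl -sa -vv | divert_rule_states
sample_pfctl_output | divert_rule_states
sample_pfctl_output | idle_divert_rules ||
    echo "warning: at least one divert rule has never created a state"
```

A non-zero counter, as in Romain's case, only proves that pf matched the connection and created a state; whether the diverted packets actually reach the socket Squid is listening on is the separate question the thread goes on to test with tcpdump and nc.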


Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting
In reply to this post by Giancarlo Razzolini-3
Could somebody provide me a working configuration example for pf.conf and
squid.conf on OpenBSD 5.4 (working as a bridge)?

I still can't manage to make squid work on my bridge and I don't know
what more tests I could do.

I even tried to compile squid 3.4.2 with '--enable-pf-transparent'
according to the documentation:
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

But still no magic happens...
- packets are diverted
- but the netcat test (nc -l 3129) proves that no packets are received by
squid

Thanks,
Romain

-----Original Message-----
From: Giancarlo Razzolini [mailto:[hidden email]]
Sent: Friday 3 January 2014 11:28
To: Romain FABBRI - Alien Consulting; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:

> Thanks,
>
> I tried according to your configuration :
>
> First test using the 3128 port as a divert-to port and as a squid http_port
> with tproxy or intercept statement
> => No traffic is getting diverted by pf
>
> Second test :
>   Same test but using the 3129 port as a divert-to port
>   2 lines in squid.conf file:
>      http_port 3128
>      http_port 127.0.0.1:3129 tproxy     // I also tried with intercept too
> but no change
>
> In both tests: the web traffic (http 80) doesn't get caught by the
> divert-to directive...
> I tried to tcpdump on the lo0 interface but I got nothing.
>
> Seems like a pf problem to me...
>
> My browser accessed the internet without any restriction and without
> being cached...
>
>
Hi,

    My pf.conf only has one line also, which is the one that diverts the
relevant traffic to the squid port. My squid.conf has only one http_port
directive, which is the intercept one. If you run pfctl -sa -vv do you see any
states created by your divert rule? It seems to me that you have some issue
with your pf rules. From what I saw, they do not specify directions nor
interfaces, which might cause you trouble. Also, your divert rule is on your
external interface; that should be done on packets coming IN on your internal
interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC


Re: Transparent proxy with Squid on OpenBSD 5.4

Giancarlo Razzolini-3
In reply to this post by Romain FABBRI - Alien Consulting
On 03-01-2014 09:36, Romain FABBRI - Alien Consulting wrote:

> I'm now filtering on the inside interface:
>     pass in quick log on $int_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
>
> It seems that pf is diverting the web traffic since the packets are counted:
>
> pfctl -sa -vv
>    @0 pass in log quick on bge1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
>       [ Evaluations: 3534      Packets: 1741      Bytes: 1788725     States: 17    ]
>       [ Inserted: uid 0 pid 8777 State Creations: 17    ]
>
> If I comment out the default squid port and put the intercept statement as my
> divert-to port, like this:
>   #http_port 3128
>   http_port 127.0.0.1:3128 intercept
>
> I get:
> - lots of "ERROR: No forward-proxy ports configured." lines when I run squid
> - squidGuard is not blocking sites (that does work in non transparent mode)
>
> Maybe I get the error message because newer versions of squid require 2
> ports (in order to serve files, like icons...)
>
> I find nothing in my squid.conf that would prevent caching when
> intercepting...
> That's strange...
>
>

Well,

    My setup and the other one provided do not use a bridge. The
openbsd machine is the default gateway for the machines that are being
intercepted with squid. But the conf of both squid and pf is the same as
yours. It seems to me an issue with your bridge. If you could provide
its configuration it would be helpful. Also, I do not use squidguard.
Try first to make squid work.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC


Re: Transparent proxy with Squid on OpenBSD 5.4

Remco-2
In reply to this post by Romain FABBRI - Alien Consulting
Romain FABBRI - Alien Consulting wrote:

> Hi,
>
> I’m trying to do a transparent webfiltering bridge with squid.
> I’ve used the packages for 5.4 which are squid-3.3.8 and squidGuard-1.4p6
>
> Squid is working fine when the browser uses the vether0 administration
> interface of the bridge.
> I mean sites are cached and squidGuard is filtering according to my tests
> rules.
>
> But it’s not working when using the bridge as a transparent proxy (without
> specifying a proxy server).
> If someone could give me some advice that would be really helpful.
>
> Here is my /etc/pf.conf
>
> # Macros & Tables
> ext_if="bge0"
> int_if="bge1"
>
> # Options
> set skip on lo
> set skip on {pfsync}
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
> pass out quick from 127.0.0.1 divert-reply
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
> I’ve tried almost every tutorial on the net but I had no luck with any of
> them using OpenBSD 5.4 and Squid 3.3.8…
> So I’m posting to know if anybody has done this kind of configuration
> successfully.
>
> Happy New Year
> Romain
>
>
>
> In /etc/squid/squid.conf I have configured ports like that :
>
> http_port 3128
> http_port 127.0.0.1:3129 intercept

Is it possible that some of your rules are never processed, and therefore have
no effect, because of the "skip" rule on interface "lo" ?


Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting
Good question!
I uncommented a while back the line "set skip on lo"

I checked that they are processed...
They seem to be...

# pfctl -sr -R 0
pass in log quick on bge1 inet proto tcp from 192.168.200.0/24 to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129

# tcpdump -neipflog0 -s 500
tcpdump: listening on pflog0, link-type PFLOG
17:53:05.288153 rule 0/(match) pass in on bge1: 192.168.200.39.3397 > 91.198.174.192.80: S 4055789837:4055789837(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:06.300554 rule 0/(match) pass in on bge1: 192.168.200.39.3398 > 91.198.174.202.80: S 4229265567:4229265567(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
17:53:06.306402 rule 0/(match) pass in on bge1: 192.168.200.39.3399 > 91.198.174.208.80: S 1676876276:1676876276(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:06.411063 rule 0/(match) pass in on bge1: 192.168.200.39.3400 > 91.198.174.208.80: S 2723830504:2723830504(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:07.377297 rule 0/(match) pass in on bge1: 192.168.200.39.3401 > 91.198.174.192.80: S 3539952074:3539952074(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:07.624598 rule 0/(match) pass in on bge1: 192.168.200.39.3402 > 91.198.174.192.80: S 2423603451:2423603451(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)


-----Original Message-----
From: Remco [mailto:[hidden email]]
Sent: Friday 3 January 2014 17:46
To: Romain FABBRI - Alien Consulting
Cc: [hidden email]
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting wrote:

> Hi,
>
> I’m trying to do a transparent webfiltering bridge with squid.
> I’ve used the packages for 5.4 which are squid-3.3.8 and
> squidGuard-1.4p6
>
> Squid is working fine when the browser uses the vether0 administration
> interface of the bridge.
> I mean sites are cached and squidGuard is filtering according to my
> tests rules.
>
> But it’s not working when using the bridge as a transparent proxy
> (without specifying a proxy server).
> If someone could give me some advice that would be really helpful.
>
> Here is my /etc/pf.conf
>
> # Macros & Tables
> ext_if="bge0"
> int_if="bge1"
>
> # Options
> set skip on lo
> set skip on {pfsync}
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
> pass out quick from 127.0.0.1 divert-reply
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
> I’ve tried almost every tutorial on the net but I had no luck with any
> of them using OpenBSD 5.4 and Squid 3.3.8… So I’m posting to know if
> anybody has done this kind of configuration successfully.
>
> Happy New Year
> Romain
>
>
>
> In /etc/squid/squid.conf I have configured ports like that :
>
> http_port 3128
> http_port 127.0.0.1:3129 intercept

Is it possible that some of your rules are never processed, and therefore
have no effect, because of the "skip" rule on interface "lo" ?


Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting
In reply to this post by Giancarlo Razzolini-3
I didn't investigate the bridge in itself since it seems to be working as a
bridge...

#===============================
# Bridge configuration
#===============================

#vi /etc/hostname.bge0
up

#vi /etc/hostname.bge1
up

#vi /etc/hostname.vether0
inet 192.168.200.253 255.255.255.0 192.168.200.255

#vi /etc/hostname.bridge0
add vether0
add bge0
add bge1
up

#vi /etc/mygate
192.168.200.254

#===============================
# PF configuration
#===============================
# Macros & Tables
ext_if="bge0"
int_if="bge1"

# Options
set reassemble yes no-df

# Redirect www to our transparent squid proxy
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply

# Allow TerminalServer
pass quick inet proto tcp from any to any port 3389 keep state

# Allow SSH
pass quick inet proto tcp from any to 192.168.200.253 port ssh

# NTP
pass out quick proto udp from $int_if to any port 123 keep state

# Allow mail
pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

# Allow Ping/Traceroute/DNS
pass quick inet proto udp from any to any port domain
pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state


#=======================================
# Squid configuration
#=======================================

# Only useful for Squid 2.7
#acl localhost src 127.0.0.1/32
#acl manager proto cache_object
#acl all src 0.0.0.0/0.0.0.0

# Interfacing with SquidGuard
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf

# Number of redirector processes to spawn
url_rewrite_children  5

# To prevent loops, don't send requests from localhost to the redirector
url_rewrite_access    deny  localhost

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Define sources
acl localnet src 192.168.200.0/24

# Define ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 tproxy

# Real squid memory cache
cache_mem 1500 MB
maximum_object_size_in_memory 8 MB

# Squid disk cache cache_dir ufs /var/squid/cache 1500 16 64
minimum_object_size 3 KB
maximum_object_size 8 MB

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 200 16 256

# IP & DNS names memory cache
ipcache_size 5120
fqdncache_size 5120

# File descriptor number
#max_filedescriptors 4096

# Public exposed hostname
visible_hostname openfw.local

# Added to footer of error pages.
cache_mgr [hidden email]

# Log client request activities
access_log /var/squid/logs/access.log squid

# Log information about the cache's behavior
cache_log /var/squid/logs/cache.log

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


Re: Transparent proxy with Squid on OpenBSD 5.4

polken
I agree with Giancarlo. Why do you need the bridge function? For a transparent
proxy you don't need the bridge.

> From: [hidden email]
> To: [hidden email]; [hidden email]
> CC: [hidden email]
> Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
> Date: Fri, 3 Jan 2014 17:57:37 +0100
>
> I didn't investigate the bridge in itself since it seems to be working as a
> bridge...
>
> #===============================
> # Bridge configuration
> #===============================
>
> #vi /etc/hostname.bge0
> up
>
> #vi /etc/hostname.bge1
> up
>
> #vi /etc/hostname.vether0
> inet 192.168.200.253 255.255.255.0 192.168.200.255
>
> #vi /etc/hostname.bridge0
> add vether0
> add bge0
> add bge1
> up
>
> #vi /etc/mygate
> 192.168.200.254
>
> #===============================
> # PF configuration
> #===============================
> # Macros & Tables
> ext_if="bge0"
> int_if="bge1"
>
> # Options
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
> pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
>
> # Allow TerminalServer
> pass quick inet proto tcp from any to any port 3389 keep state
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # NTP
> pass out quick proto udp from $int_if to any port 123 keep state
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
>
> #=======================================
> # Squid configuration
> #=======================================
>
> # Only useful for Squid 2.7
> #acl localhost src 127.0.0.1/32
> #acl manager proto cache_object
> #acl all src 0.0.0.0/0.0.0.0
>
> # Interfacing with SquidGuard
> url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
>
> # Number of redirector processes to spawn
> url_rewrite_children  5
>
> # To prevent loops, don't send requests from localhost to the redirector
> url_rewrite_access    deny  localhost
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Define sources
> acl localnet src 192.168.200.0/24
>
> # Define ports
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 127.0.0.1:3129 tproxy
>
> # Real squid memory cache
> cache_mem 1500 MB
> maximum_object_size_in_memory 8 MB
>
> # Squid disk cache cache_dir ufs /var/squid/cache 1500 16 64
> minimum_object_size 3 KB
> maximum_object_size 8 MB
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/squid/cache 200 16 256
>
> # IP & DNS names memory cache
> ipcache_size 5120
> fqdncache_size 5120
>
> # File descriptor number
> #max_filedescriptors 4096
>
> # Public exposed hostname
> visible_hostname openfw.local
>
> # Added to footer of error pages.
> cache_mgr [hidden email]
>
> # Log client request activities
> access_log /var/squid/logs/access.log squid
>
> # Log information about the cache's behavior
> cache_log /var/squid/logs/cache.log
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320


Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting
In fact here is the topology I had in mind:

Computers <=> Switch <=> Webfiltering bridge <=> Router <=> Internet

Since I want my system to do both:
- the bridge role
- webfiltering

... without adding a network (I mean adding a network and making the
Webfiltering box route between the two subnets)

I think it is necessary to build a bridge...
And that the design should work...

But I'm still struggling with this matter.


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On behalf of
carlos albino garcia grijalba
Sent: Wednesday 8 January 2014 21:29
To: Romain FABBRI - Alien Consulting; [hidden email]; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

I agree with Giancarlo. Why do you need the bridge function? For a transparent
proxy you don't need the bridge.

> From: [hidden email]
> To: [hidden email]; [hidden email]
> CC: [hidden email]
> Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
> Date: Fri, 3 Jan 2014 17:57:37 +0100
>
> I didn't investigate the bridge in itself since it seems to be working
> as a bridge...
>
> #===============================
> # Bridge configuration
> #===============================
>
> #vi /etc/hostname.bge0
> up
>
> #vi /etc/hostname.bge1
> up
>
> #vi /etc/hostname.vether0
> inet 192.168.200.253 255.255.255.0 192.168.200.255
>
> #vi /etc/hostname.bridge0
> add vether0
> add bge0
> add bge1
> up
>
> #vi /etc/mygate
> 192.168.200.254
>
> #===============================
> # PF configuration
> #===============================
> # Macros & Tables
> ext_if="bge0"
> int_if="bge1"
>
> # Options
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
> pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
>
> # Allow TerminalServer
> pass quick inet proto tcp from any to any port 3389 keep state
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # NTP
> pass out quick proto udp from $int_if to any port 123 keep state
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
>
> #=======================================
> # Squid configuration
> #=======================================
>
> # Only useful for Squid 2.7
> #acl localhost src 127.0.0.1/32
> #acl manager proto cache_object
> #acl all src 0.0.0.0/0.0.0.0
>
> # Interfacing with SquidGuard
> url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
>
> # Number of redirector processes to spawn
> url_rewrite_children 5
>
> # To prevent loops, don't send requests from localhost to the redirector
> url_rewrite_access deny localhost
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Define sources
> acl localnet src 192.168.200.0/24
>
> # Define ports
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 127.0.0.1:3129 tproxy
>
> # Real squid memory cache
> cache_mem 1500 MB
> maximum_object_size_in_memory 8 MB
>
> # Squid disk cache
> cache_dir ufs /var/squid/cache 1500 16 64
> minimum_object_size 3 KB
> maximum_object_size 8 MB
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/squid/cache 200 16 256
>
> # IP & DNS names memory cache
> ipcache_size 5120
> fqdncache_size 5120
>
> # File descriptor number
> #max_filedescriptors 4096
>
> # Public exposed hostname
> visible_hostname openfw.local
>
> # Added to footer of error pages.
> cache_mgr [hidden email]
>
> # Log client request activities
> access_log /var/squid/logs/access.log squid
>
> # Log information about the cache's behavior
> cache_log /var/squid/logs/cache.log
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320


Re: Transparent proxy with Squid on OpenBSD 5.4

polken
OK, but why do you need the bridge? I think you want it to be there to
intercept the web and let everything else pass, but you can do this without
the bridge part: intercept the web requests and then let all the others go to
the router. I am not sure the bridge can do this, because its function is to
be there without the packets knowing it is there; I mean, as far as I know
(correct me if I am wrong), they operate at layer 2, so it never reaches the
higher levels where interception works.



Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting
In this topology:

                Computers <=> Switch <=> Webfiltering bridge <=> Router <=> Internet

Without a bridge, a system with 2 network cards won't let:

- data from the Computers going to the Router.
- data from the Router going to the Computers

How do you make it work without a bridge???

- Maybe you're talking about a single network interface system with just a proxy function on it
  o But no real security would be added in this topology, since you can bypass the proxy
- There could be a way to activate packet forwarding, but as far as I know forwarding requires 2 networks



Re: Transparent proxy with Squid on OpenBSD 5.4

Giancarlo Razzolini-3
On 09-01-2014 08:13, Romain FABBRI - Alien Consulting wrote:

> In this topology:
>
>                 Computers <=> Switch <=> Webfiltering bridge <=> Router <=> Internet
>
> Without a bridge, a system with 2 network cards won't let:
>
> - data from the Computers going to the Router.
> - data from the Router going to the Computers
>
It will, that is what NAT was created for, and OpenBSD with pf does it
handsomely. They won't operate as if they were on the same network
though (broadcast). Which is a security feature, from my point of view.

> How do you make it work without a bridge???
>
> - Maybe you're talking about a single network interface system with just a proxy function on it
>   o But no real security would be added in this topology, since you can bypass the proxy
> - There could be a way to activate packet forwarding, but as far as I know forwarding requires 2 networks
>
If you use your OpenBSD box as the gateway, not as a transparent bridge,
not only will you be able to achieve transparent interception with
Squid, but you'll also have all the other nice features that come along with it.
I believe that a transparent bridge could work, with an extra effort,
but I would need to rig up a setup to test it. But if you have control
over the router, I strongly suggest using 2 NICs, and the OpenBSD
machine as your network gateway.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
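The two things the thread keeps circling are the pf.conf / squid.conf pairing (the first posted pf.conf diverted port 80 to 3128 while Squid's intercept listener was on 3129; the later one diverts to 3129 with an `http_port ... tproxy` listener) and Giancarlo's suggestion to run the box as a routing gateway instead of a bridge. The POSIX shell script below is an added example, written for this page and not taken from the thread, from Squid or from OpenBSD. It reads a pf.conf and a squid.conf and checks what Squid's http_port documentation requires for PF: the port named in `divert-to` must be an `http_port` flagged `intercept` or `tproxy`, and `tproxy` (which spoofs the client address on outgoing connections) additionally needs a `pass out ... divert-reply` rule. The first two sample configs are lifted from the fragments posted above; the gateway-mode pf.conf (`nat-to` on the external interface, with `net.inet.ip.forwarding=1` assumed in /etc/sysctl.conf) is my assumed equivalent of Giancarlo's design, not something anyone in the thread posted, so it goes beyond the thread's own bridge case.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a pf.conf divert-to rule
# against squid.conf http_port lines before chasing the bridge question.
# Rules encoded, from Squid's http_port documentation for BSD PF:
#   - the port pf diverts to must be an http_port flagged intercept or tproxy;
#   - tproxy (client-IP spoofing) additionally needs a pass out ... divert-reply rule.
# All configs below are constructed samples; the first two reuse the thread's fragments.

# Bridge setup as posted later in the thread (divert-to 3129, tproxy + divert-reply)
PF_BRIDGE='ext_if="bge0"
int_if="bge1"
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply'
SQUID_TPROXY='http_port 3128
http_port 127.0.0.1:3129 tproxy'

# First posted pf.conf: divert-to 3128, while Squid intercepted on 3129
PF_FIRST='pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
pass out quick from 127.0.0.1 divert-reply'
SQUID_INTERCEPT='http_port 3128
http_port 127.0.0.1:3129 intercept'

# Gateway-mode pf.conf (assumed, not posted in the thread): the box routes and
# NATs instead of bridging; clients use its internal address as default gateway
# and net.inet.ip.forwarding=1 is assumed set in /etc/sysctl.conf.
PF_GATEWAY='ext_if="bge0"
int_if="bge1"
int_net="192.168.200.0/24"
set skip on lo
block all
match out on $ext_if inet from $int_net nat-to ($ext_if)
pass in quick on $int_if inet proto tcp from $int_net to port 80 divert-to 127.0.0.1 port 3129
pass in on $int_if inet from $int_net
pass out on $ext_if inet'

# divert_port PFCONF: print the port of the first non-comment divert-to rule
divert_port() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        { for (i = 1; i <= NF; i++)
              if ($i == "divert-to" && $(i + 2) == "port") { print $(i + 3); exit } }'
}

# has_divert_reply PFCONF: succeed if a non-comment rule carries divert-reply
has_divert_reply() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /divert-reply/ { found = 1 }
        END { exit !found }'
}

# http_port_mode SQUIDCONF PORT: print "intercept", "tproxy" or "plain" for the
# http_port bound to PORT (an "addr:" prefix is stripped); print nothing if absent
http_port_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*#/ { next }
        $1 == "http_port" {
            port = $2; sub(/^.*:/, "", port)
            if (port != want) next
            mode = "plain"
            for (i = 3; i <= NF; i++)
                if ($i == "intercept" || $i == "tproxy") mode = $i
            print mode; exit
        }'
}

# check_divert PFCONF SQUIDCONF: print "ok" or the reason; exit status follows
check_divert() {
    port=$(divert_port "$1")
    [ -n "$port" ] || { echo "no divert-to rule in pf.conf"; return 1; }
    mode=$(http_port_mode "$2" "$port")
    case "$mode" in
        "")        echo "pf diverts to $port but squid has no http_port $port"; return 1 ;;
        plain)     echo "http_port $port has no intercept/tproxy flag"; return 1 ;;
        intercept) echo ok ;;
        tproxy)    has_divert_reply "$1" && echo ok ||
                   { echo "tproxy needs a pass out ... divert-reply rule"; return 1; } ;;
    esac
}

check_divert "$PF_BRIDGE"  "$SQUID_TPROXY"            # ok
check_divert "$PF_FIRST"   "$SQUID_INTERCEPT" || :    # http_port 3128 has no intercept/tproxy flag
check_divert "$PF_GATEWAY" "$SQUID_INTERCEPT"         # ok
```

On a real box, feed it `"$(cat /etc/pf.conf)"` and `"$(cat /etc/squid/squid.conf)"` instead of the constructed strings; the parser is deliberately literal (it reads the first `divert-to` rule and whole-word `http_port` flags), so macros expanded by pfctl or `include` files are not followed. It is a pre-flight consistency check, not a substitute for `pfctl -nf /etc/pf.conf` and `squid -k parse`.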


Re: Transparent proxy with Squid on OpenBSD 5.4

Barbier, Jason
In my personal setup, to prevent data leakage, I'd leave the internal
adapters bridged and then remove the external adapter from the bridge. Then
for IPv4 you can just do standard NATting for anything that needs to
leave the network but doesn't need to hit the proxy, using the rdr-to
rules; IPv6 is totally routed, so there is just some internal
routing that goes on to exchange between the adapters.
